quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
297s
max time network
313s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (103) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral26/memory/4592-1-0x0000000000C80000-0x0000000000CEC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1344	Client.exe
1108	Client.exe
4904	Client.exe
1556	Client.exe
4520	Client.exe
1900	Client.exe
1984	Client.exe
3812	Client.exe
2412	Client.exe
1156	Client.exe
2832	Client.exe
4232	Client.exe
1728	Client.exe
2712	Client.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
37	ip-api.com
18	ip-api.com
28	ip-api.com
31	ip-api.com
33	ip-api.com
12	ip-api.com
14	ip-api.com
23	ip-api.com
25	ip-api.com
35	ip-api.com
20	ip-api.com
2	ip-api.com
10	api.ipify.org
16	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2420	1344	WerFault.exe	Client.exe
1972	1108	WerFault.exe	Client.exe
2160	4904	WerFault.exe	Client.exe
4460	1556	WerFault.exe	Client.exe
1964	4520	WerFault.exe	Client.exe
5096	1900	WerFault.exe	Client.exe
1680	1984	WerFault.exe	Client.exe
4460	3812	WerFault.exe	Client.exe
4048	2412	WerFault.exe	Client.exe
3168	1156	WerFault.exe	Client.exe
960	2832	WerFault.exe	Client.exe
5060	4232	WerFault.exe	Client.exe
4368	1728	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

SCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2836	SCHTASKS.exe
3748	schtasks.exe
5048	schtasks.exe
1748	schtasks.exe
1956	schtasks.exe
4924	schtasks.exe
2560	schtasks.exe
4460	schtasks.exe
1660	schtasks.exe
3796	schtasks.exe
4172	schtasks.exe
3312	schtasks.exe
1472	schtasks.exe
804	schtasks.exe
1876	schtasks.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4072	PING.EXE
3008	PING.EXE
2792	PING.EXE
736	PING.EXE
1396	PING.EXE
1836	PING.EXE
3216	PING.EXE
736	PING.EXE
4960	PING.EXE
1596	PING.EXE
2584	PING.EXE
3756	PING.EXE
3240	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

Uni - Copy (103) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4592	Uni - Copy (103) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	1344	Client.exe
Token: SeDebugPrivilege	1108	Client.exe
Token: SeDebugPrivilege	4904	Client.exe
Token: SeDebugPrivilege	1556	Client.exe
Token: SeDebugPrivilege	4520	Client.exe
Token: SeDebugPrivilege	1900	Client.exe
Token: SeDebugPrivilege	1984	Client.exe
Token: SeDebugPrivilege	3812	Client.exe
Token: SeDebugPrivilege	2412	Client.exe
Token: SeDebugPrivilege	1156	Client.exe
Token: SeDebugPrivilege	2832	Client.exe
Token: SeDebugPrivilege	4232	Client.exe
Token: SeDebugPrivilege	1728	Client.exe
Token: SeDebugPrivilege	2712	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1344	Client.exe
1108	Client.exe
4904	Client.exe
1556	Client.exe
4520	Client.exe
1900	Client.exe
1984	Client.exe
3812	Client.exe
2412	Client.exe
1156	Client.exe
2832	Client.exe
4232	Client.exe
1728	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (103) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4592 wrote to memory of 1660	4592	Uni - Copy (103) - Copy - Copy - Copy.exe	schtasks.exe
PID 4592 wrote to memory of 1660	4592	Uni - Copy (103) - Copy - Copy - Copy.exe	schtasks.exe
PID 4592 wrote to memory of 1660	4592	Uni - Copy (103) - Copy - Copy - Copy.exe	schtasks.exe
PID 4592 wrote to memory of 1344	4592	Uni - Copy (103) - Copy - Copy - Copy.exe	Client.exe
PID 4592 wrote to memory of 1344	4592	Uni - Copy (103) - Copy - Copy - Copy.exe	Client.exe
PID 4592 wrote to memory of 1344	4592	Uni - Copy (103) - Copy - Copy - Copy.exe	Client.exe
PID 4592 wrote to memory of 2836	4592	Uni - Copy (103) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4592 wrote to memory of 2836	4592	Uni - Copy (103) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4592 wrote to memory of 2836	4592	Uni - Copy (103) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1344 wrote to memory of 4172	1344	Client.exe	schtasks.exe
PID 1344 wrote to memory of 4172	1344	Client.exe	schtasks.exe
PID 1344 wrote to memory of 4172	1344	Client.exe	schtasks.exe
PID 1344 wrote to memory of 2036	1344	Client.exe	cmd.exe
PID 1344 wrote to memory of 2036	1344	Client.exe	cmd.exe
PID 1344 wrote to memory of 2036	1344	Client.exe	cmd.exe
PID 2036 wrote to memory of 4728	2036	cmd.exe	chcp.com
PID 2036 wrote to memory of 4728	2036	cmd.exe	chcp.com
PID 2036 wrote to memory of 4728	2036	cmd.exe	chcp.com
PID 2036 wrote to memory of 2792	2036	cmd.exe	PING.EXE
PID 2036 wrote to memory of 2792	2036	cmd.exe	PING.EXE
PID 2036 wrote to memory of 2792	2036	cmd.exe	PING.EXE
PID 2036 wrote to memory of 1108	2036	cmd.exe	Client.exe
PID 2036 wrote to memory of 1108	2036	cmd.exe	Client.exe
PID 2036 wrote to memory of 1108	2036	cmd.exe	Client.exe
PID 1108 wrote to memory of 3748	1108	Client.exe	schtasks.exe
PID 1108 wrote to memory of 3748	1108	Client.exe	schtasks.exe
PID 1108 wrote to memory of 3748	1108	Client.exe	schtasks.exe
PID 1108 wrote to memory of 2976	1108	Client.exe	cmd.exe
PID 1108 wrote to memory of 2976	1108	Client.exe	cmd.exe
PID 1108 wrote to memory of 2976	1108	Client.exe	cmd.exe
PID 2976 wrote to memory of 4092	2976	cmd.exe	chcp.com
PID 2976 wrote to memory of 4092	2976	cmd.exe	chcp.com
PID 2976 wrote to memory of 4092	2976	cmd.exe	chcp.com
PID 2976 wrote to memory of 4960	2976	cmd.exe	PING.EXE
PID 2976 wrote to memory of 4960	2976	cmd.exe	PING.EXE
PID 2976 wrote to memory of 4960	2976	cmd.exe	PING.EXE
PID 2976 wrote to memory of 4904	2976	cmd.exe	Client.exe
PID 2976 wrote to memory of 4904	2976	cmd.exe	Client.exe
PID 2976 wrote to memory of 4904	2976	cmd.exe	Client.exe
PID 4904 wrote to memory of 4924	4904	Client.exe	schtasks.exe
PID 4904 wrote to memory of 4924	4904	Client.exe	schtasks.exe
PID 4904 wrote to memory of 4924	4904	Client.exe	schtasks.exe
PID 4904 wrote to memory of 3408	4904	Client.exe	cmd.exe
PID 4904 wrote to memory of 3408	4904	Client.exe	cmd.exe
PID 4904 wrote to memory of 3408	4904	Client.exe	cmd.exe
PID 3408 wrote to memory of 1892	3408	cmd.exe	chcp.com
PID 3408 wrote to memory of 1892	3408	cmd.exe	chcp.com
PID 3408 wrote to memory of 1892	3408	cmd.exe	chcp.com
PID 3408 wrote to memory of 736	3408	cmd.exe	PING.EXE
PID 3408 wrote to memory of 736	3408	cmd.exe	PING.EXE
PID 3408 wrote to memory of 736	3408	cmd.exe	PING.EXE
PID 3408 wrote to memory of 1556	3408	cmd.exe	Client.exe
PID 3408 wrote to memory of 1556	3408	cmd.exe	Client.exe
PID 3408 wrote to memory of 1556	3408	cmd.exe	Client.exe
PID 1556 wrote to memory of 3796	1556	Client.exe	schtasks.exe
PID 1556 wrote to memory of 3796	1556	Client.exe	schtasks.exe
PID 1556 wrote to memory of 3796	1556	Client.exe	schtasks.exe
PID 1556 wrote to memory of 2328	1556	Client.exe	cmd.exe
PID 1556 wrote to memory of 2328	1556	Client.exe	cmd.exe
PID 1556 wrote to memory of 2328	1556	Client.exe	cmd.exe
PID 2328 wrote to memory of 2836	2328	cmd.exe	chcp.com
PID 2328 wrote to memory of 2836	2328	cmd.exe	chcp.com
PID 2328 wrote to memory of 2836	2328	cmd.exe	chcp.com
PID 2328 wrote to memory of 1396	2328	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1660

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vu734we2OULJ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4728

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2792

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yFdS4VolOjWz.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4092

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4960

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E1aqvcsU9aj4.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1892

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:736

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iRqknNNzZiaK.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:2836

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1396

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4520

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LNtx0poCiPiI.bat" "
11⤵
PID:3188

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4584

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1836

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyU6sl6onPFx.bat" "
13⤵
PID:700

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:456

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1596

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyOBIYGGGkWF.bat" "
15⤵
PID:1560

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:4720

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4072

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3812

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OI6qVMGhkA01.bat" "
17⤵
PID:4368

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2132

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2584

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwaCQjDre3Qg.bat" "
19⤵
PID:3880

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2656

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:3008

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dpCBHwA7FKTx.bat" "
21⤵
PID:3748

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4932

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:3216

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQnK8sRjLK0c.bat" "
23⤵
PID:3888

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4504

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3240

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4232

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8MqXMKswU28b.bat" "
25⤵
PID:3980

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:3200

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:736

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LataZ2zo82mB.bat" "
27⤵
PID:4192

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3212

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3756

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1708
27⤵
- Program crash
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1732
25⤵
- Program crash
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1092
23⤵
- Program crash
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1748
21⤵
- Program crash
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 2180
19⤵
- Program crash
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 1724
17⤵
- Program crash
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1700
15⤵
- Program crash
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 2232
13⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 2240
11⤵
- Program crash
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1720
9⤵
- Program crash
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 2248
7⤵
- Program crash
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 2236
5⤵
- Program crash
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1680
3⤵
- Program crash
PID:2420

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (103) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1344 -ip 1344
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1108 -ip 1108
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4904 -ip 4904
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1556 -ip 1556
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4520 -ip 4520
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1900 -ip 1900
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1984 -ip 1984
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3812 -ip 3812
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2412 -ip 2412
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1156 -ip 1156
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2832 -ip 2832
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4232 -ip 4232
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1728 -ip 1728
1⤵
PID:4532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8MqXMKswU28b.bat
Filesize
207B

MD5
9e4c99f8d8294c8505b6e246de85a9f5

SHA1
c7516450fc9e4ad4825e41f54d5cdc11975f2bbd

SHA256
048b5589cbbbb96b4e924183de80b834cb55f9d99839866148c373df423ba7fe

SHA512
1ae8c48a12deab858e38375a3bcab57510e476336cce9b0928a25ad240c488170684677bce77549a97cef8858e9bf33e47a57165f11f11d2380d29517d9067a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwaCQjDre3Qg.bat
Filesize
207B

MD5
ada6f7246bbc70ebf02c0d2c267e7c69

SHA1
b3078767a06eb5b98f1aeef8ab1699a788d7cccb

SHA256
0d3fd1cbce9888f364bd14fc72a4fedbc3ea630286e6650ccd24eb9e34505189

SHA512
14e226c54518140f22576282a4c3220e992d6fa5fc8b9ef9ca49ffde764ad91fd07a67e7a34a6aa6ed00ea005cd348595da58277c7beaec8551baaca143f288b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DyU6sl6onPFx.bat
Filesize
207B

MD5
dd9de4defc21e2dc54dd565a217eded3

SHA1
a68b5bdbe87ddbcb259b05e5efe45e26395b6c2b

SHA256
aa298c99ded14fdc81a44f7ab731ffdb295b9dc54bbaea4abe8822d248ac9139

SHA512
41a933595f78d7d4234ffac445b5c566fde60b43c6b7bc5b08920d027fd07cedcfec00f2ba6fecf4e9ac47452fdc3cf75358fca555503f6a34d098e002e0f7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1aqvcsU9aj4.bat
Filesize
207B

MD5
2f2d3da11850ac74a01410fd124fb3ae

SHA1
63bd04fe4507d00a44b8b2474c0c986ebcdf91dd

SHA256
673d75050e942a7e7a068a9f641217a202aa3b0fbe3a88866117d8d425d9e694

SHA512
4461abbbac0dac733b563d199f130aaf6490372365879724f14cc7a441862363c151501b7afb16da522429fe8ef6ef38f90f40c19d378261fdf15416d5e07b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\LNtx0poCiPiI.bat
Filesize
207B

MD5
6897926074c9900ad7e423c4507b5d74

SHA1
c3c100dbf7aa6b3a025a8a15a94d0b11c3ead5f2

SHA256
86a838d8f1474c8de577497693458545ea0ceff50b990c1f2b52dcd3142d8467

SHA512
dfea7cce6aae59950130bb9ab73fa89462e0b879d2eb5eb7db92dd021cf67a28f2fd2e28a506200507e9d6dd928d3998901f2040b7dcf88b3fa1677211f02897

Download Submit
C:\Users\Admin\AppData\Local\Temp\LataZ2zo82mB.bat
Filesize
207B

MD5
a75835aab28ec7f5ca674eff57324150

SHA1
cfd3848d353f6d9b304ff7fc8e3eeefa01a93cc7

SHA256
b638b7b32d0b205df732b8f7cd196ec9363969b7699dc6ea7902fb61114cb246

SHA512
688926df92d00126e2f9babc517f3fddafbca345dd2e03e71fec722aee5bd6292c1a7c83c42896aff968824e43320c5159d6b48aff89e4ea4235acade64e53d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OI6qVMGhkA01.bat
Filesize
207B

MD5
737cce646781fef14dcce90bf2787a6d

SHA1
0bdbabc9ed5deebccecdfa45fd028faca4f741f4

SHA256
c51e33d65b88e749a69a9d9135af8e582f58f9e88f28adbb6bd82f8259607964

SHA512
60de1cdca3cd67477d8a132710af6bee6d7a52a8b6fc44105029b252845bfcf5c48520a183999425fe5531c4935aa580f5fc3f2471292142e491be18609596dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQnK8sRjLK0c.bat
Filesize
207B

MD5
0a5e2fdb1e83bce45557ef844436cdc7

SHA1
4898d8b88b2d3e539de3dceccb554212f99b00fc

SHA256
09aca1a4c57b9c20b1587edb0a8152511d4f30ad42c79663fe3eccb96777edc7

SHA512
fdc3dd3ad6c6a0134041419f4d7b2e5bdab73f1df350af95ccf05dedb950d9db4e5e4397fb5f9341aeb8a6f9d4d1d519833dd6998cdbafd1927ce25f0afb71b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vu734we2OULJ.bat
Filesize
207B

MD5
35f55b2fde4a22bb9b9885b27606cccf

SHA1
8fe9e796d1116fd3f227a29f1a8d796e730e26ec

SHA256
01a7aea4af0e4b3cedd093ea4d8403bd02b8ee88455e7d9edbee15b8fd262bc7

SHA512
3d9fa5eb9f967cc002a8a235274d2a4448b1a0353a579226ddb580ac71c5ed74ef8a4324df7efc397ab455e12265b1c342edd697ee62d4bb70cfa814e67b55a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpCBHwA7FKTx.bat
Filesize
207B

MD5
3dfbba1ccf4dcf6e8a5d26820dd39cb3

SHA1
1c3a0bded719df9f021a99c0514df6aede6d7f8f

SHA256
41a9d3eeb199aa12e2d838092e4e0577fa594d988d0c9ce55db45b3056831e20

SHA512
e82f1ea11cbba1830fc2311f5eafb11d0f2fc2a4b79f35038a330f5e02dce97a3ba2990a979d6d474c2004629da54504f520f4803cc29c25d00621fc14b13eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iRqknNNzZiaK.bat
Filesize
207B

MD5
f296d7ad0562a3c997f8e2ec0e2fabdd

SHA1
2e97122f1ceb990757e56dd282b34830ddcba0d0

SHA256
22d39e6a9954fe3459e954d0eae5976a65b5feaede5eaf89b258e32a71991f16

SHA512
dc62c9f47bdb35dc711f8c3d733c84605fb428ed2c936f27d822284dc850b435f5e5f8710ba4b6ea47f3e3f909dbb682c8574e2679f7389827768a6eb2f4bf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\yFdS4VolOjWz.bat
Filesize
207B

MD5
b29929c71bf66aff827d5f1a0912b15c

SHA1
facdb738f21b6bdd6cbe04e16d444bded9a783c6

SHA256
01bf86b535ef0fd76e74543c15b081bdd204dd02482457f248866ab85dc414d2

SHA512
92c0ab288bd355a0096c9c5e629930ad1b2564330fe0bae79901b156c623f918753b122402a3b7ccd8c6fcdfc3af4f636ecd1e5264e8e9af8dc0395002194d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyOBIYGGGkWF.bat
Filesize
207B

MD5
b7d9d8d3c33e5ffd26d646d8e7572dcb

SHA1
d92234fdd7f1d343a2357ed1f09c7f293c12f7c7

SHA256
a1809f6c7acddc05f0d44316bc31cd83fbf7b19694aac1e3cb4c3cc460d4d295

SHA512
c4d9778333278b05b8eab0ec2b1cff2e404df707ecd45efa58a506b3bf45c2ce1f579bc57061a606c028a7b25ef2efd776ba0980f4f767acf23480a844a6db4a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
0f22b3e9adc37eca2e3f4e4421c90584

SHA1
3c98f7d4921d456e1fef0536bab075b7dd6802a9

SHA256
bfd09b125977f800373eaffe18c8a5700c3fb3a652be082cb1daeb6da3e1bca9

SHA512
e9d6c666c14345b83d6ae25af69e3a9d92c90920815db2c1a0e09983b675339cfcad4e631f17a98ce171cff614b335061579f4c879812d50480a5ae71e638b83

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
1ddc66fc9c73db07581bd838d85fcf4d

SHA1
f5ab114008a4594c7ea72a7b24d1aec4e0e79536

SHA256
e9d22af378ed71e9cff342c63f9fdc65c9fc49988fe8fd6b47c640d873627184

SHA512
de1626a99b3087555011921f4721c1dea8757a3b914731120889198ca8dc6e6ec5db85884a31e730d799ca5caa8439b8b4554914fcad08f13105487550e5b8c1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
d9e5369dbff16d693563dffaf11a2ce7

SHA1
fde9c7420a2ab7efc6d80d802102df9e6867168d

SHA256
c61e9e9290eb86f1c422ea60465cded7065f935691a0be30837fb62abe2a14a3

SHA512
4bc4afdd7ec2031e79babc7bc0b6bdb8ad8fa684e3198a21b029488545141093a61447d5553d973f740885fdb84ebf7e214c91c6672ebbbbae129916033146ed

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
9262161f4352c63a61e1df9130ed2a86

SHA1
2de05636d466f82be615d507f284964ab185f796

SHA256
49e65fb881d6b6fe6851d10b325fa325fc0fb5a4ec47c7e8c11f2f3fcd4ee1f5

SHA512
84c5ba0dcc6318be42a5ca41f3c8dc6db616caac8a57de6bdac8a83c69a7f148c623ccc68e60ac439c8bb48446dd5f9482c0fb06e2f6a7be0a306525042139a4

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
9e04868ba28b2548ca5652e484ac3bfc

SHA1
bdc3919339f96aaca110cf4bcab5636950be89ae

SHA256
6d620485d3a3a46086a2c378062fb51110bed9594c42fca35bf52acacfaa7066

SHA512
952c0dfef770dc430e9f3a617c9c3fa8aa634591b50054b55e87c73d045adcbc6b24760b6ee8f46c8e765dc3eda2992d7f364188f961d67e339ecac876ae79aa

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
732f0ed09de35d97cf8252a737f43b96

SHA1
6305f8435bca3550912417f7be6e766c7ebf6b32

SHA256
e087cb24144e75ab1c50dccd34493a2c7064f5aa1445f4d35d9620dea140373e

SHA512
0b981baa9f5156349b150dc7e3e2da73eda3a69e660eb2e81933ebaa2dc8af205ee21b8cc464bab09bd6cc3e13c06b06464db89a36c79b7e49155c349eb7e3e6

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1344-24-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1344-19-0x00000000065C0000-0x00000000065CA000-memory.dmp

Filesize
40KB

Download
memory/1344-17-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1344-14-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/4592-7-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/4592-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/4592-6-0x0000000006510000-0x0000000006522000-memory.dmp

Filesize
72KB

Download
memory/4592-8-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/4592-5-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/4592-4-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/4592-3-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/4592-16-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/4592-2-0x0000000005C20000-0x00000000061C4000-memory.dmp

Filesize
5.6MB

Download
memory/4592-1-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download